Skip to content

Commit

Permalink
Add note about not supporting customer managed keys (#1025)
Browse files Browse the repository at this point in the history
Signed-off-by: Mikayla Thompson <[email protected]>
  • Loading branch information
mikaylathompson authored Sep 30, 2024
1 parent 5db2d5b commit a529050
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,9 @@ If you are concerned about this scenario, we recommend fully mitigating it by pu
The output tuples, available on the shared EFS volume via the Migration Console, contain the exact requests and responses received from both the source and target clusters with the headers and the body of the messages. The Authorization header is present on SigV4 signed requests and those using basic authorization, and with basic authorization credentials can be extracted from the header value. These values are often essential for debugging and so are not censored from the output.

If you use basic authorization credentials, ensure that access to your output tuples is protected similarly to the credentials themselves.

### Customer Managed Keys are not supported by the migration infrastructure
Each of the AWS services that are interacting with data will encrypt all data being stored at rest. While the services themselves can support performing the encryption via a KMS Key, the CDK deployment option of Migration Assistant doesn't have the ability to set a customer key for any of those services. That will leave all of the data at rest encrypted, but not under the control of a customer's KMS Key. See the links below for more details on forthcoming support:

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
[Issue #1026](https://github.com/opensearch-project/opensearch-migrations/issues/1026)

0 comments on commit a529050

Please sign in to comment.